To make it worse, SMS is incredibly insecure. Nothing should send you codes via SMS

Theoretically sure, but the chances of anyone getting their SMS hacked and their 2FA code being used to compromise their account is so infinitesimally small that it’s not even worth mentioning.